[Xen-devel] [RFC v1] kexec: Prototype for signature verification within Xen

as well as make the correction for passing the complete kernel file to Xen. Signed-off-by: Eric DeVolder --- configure.ac| 8 kexec/arch/x86_64/kexec-bzImage64.c | 18 ++ kexec/kexec-xen.c | 7 +++ kex

[Xen-devel] [RFC v1 2/8] kexec: implement kexec_file_load() for PECOFF+Authenticode files

This change adds to Xen the kexec_file_load() entry point. The kexec_file_load() is nearly identical to kexec_load(), but with the added code to handle checking and handling of PECOFF Authenticode signature verification. Signed-off-by: Eric DeVolder --- xen/common/kexec.c | 131

[Xen-devel] [RFC v1 1/8] kexec: add kexec_file_load to libxenctrl

This change adds a new entry point in libxenctrl for the kexec_file_load() operation. The code for kexec_file_load() is nearly identical to kexec_load() other than the use of hypercall op KEXEC_CMD_kexec_file_load rather than KEXEC_CMD_kexec_load. Signed-off-by: Eric DeVolder --- tools/libxc

[Xen-devel] [RFC v1 3/8] kexec: new file openssl-1.1.0i.patch

This patch creates a new file that is in turn a patch that contains a small number of changes needed in order to soldier through the compilation of all the OpenSSL sources within Xen. This patch is applied to OpenSSL in xen.spec. Signed-off-by: Eric DeVolder --- openssl-1.1.0i.patch | 378

[Xen-devel] [RFC v1 6/8] kexec: support files for PECOFF Authenticode signature verification

perform signature verification. This file essentially contains the two files https://github.com/vathpela/verify/Cryptlib/Pk/[CryptPkcs7.c|CryptAuthenticode.c] which together provide the signature verification capability. Signed-off-by: Eric DeVolder --- xen/common/TrustedCert.h | 113

[Xen-devel] [RFC v1 4/8] kexec: xen/common/Makefile: include building of OpenSSL

Changes needed to the xen/common/Makefile in order to stitch in the compiling of OpenSSL as well as the PECOFF file decoder and signature verification code. Signed-off-by: Eric DeVolder --- xen/common/Makefile | 4 1 file changed, 4 insertions(+) diff --git a/xen/common/Makefile b/xen

[Xen-devel] [RFC v1 5/8] kexec: changes to facilitate compiling OpenSSL within Xen

the (userland) OpenSSL source files, as opposed to modifying about 145 source files. Signed-off-by: Eric DeVolder --- xen/arch/x86/Rules.mk | 2 + xen/common/xmalloc_tlsf.c | 25 xen/include/asm-x86/types.h | 2 + xen/include/xen/types.h | 3 + xen

[Xen-devel] [RFC v1 8/8] kexec: include OpenSSL build in xen.spec

of OpenSSL. Signed-off-by: Eric DeVolder --- xen.spec | 78 1 file changed, 78 insertions(+) diff --git a/xen.spec b/xen.spec index 4e36f7e..e026f28 100644 --- a/xen.spec +++ b/xen.spec @@ -1,5 +1,7 @@ %{!?buildid: %{expand

[Xen-devel] [RFC v1 0/8] Prototype for kexec signature verification within Xen

. 10: Licensing of the various pieces may be problematic. Note that there is a corresponding change to kexec-tools to allow/enable the Xen kexec_file_load() hypercall. Those changes are not part of this change set, but will be posted separately. Anyway, this does work, for me. eric Eric DeVold

[Xen-devel] [RFC v1 7/8] kexec: Xen compatible makefile for OpenSSL

This is the Xen compatible makefile for use in building OpenSSL within Xen. This file was generated by capturing a "normal" build of OpenSSL and parsing that build to ensure the correct list of options and files. Signed-off-by: Eric DeVolder --- Makefile.openssl-1.

[Xen-devel] RFC Xen signature verification for kexec

In reading this and providing feedback, I'm hoping to obtain community consensus on the following questions: - Is there interest in this? - Which approach is favored? - Are there other approaches/efforts? - Other concerns/feedback? Executive Summary Xen currently lacks signature verification infr

Re: [Xen-devel] [PATCH v4] kexec-tools: Perform run-time linking of libxenctrl.so

Daniel, I've implemented your feedback and posted the following: [PATCH v1] kexec-tools: Tweak run-time handling of libxenctrl.so Regards, eric On 01/18/2018 05:55 AM, Daniel Kiper wrote: On Wed, Jan 17, 2018 at 10:39:01AM -0600, Eric DeVolder wrote: When kexec is utilized in

[Xen-devel] [PATCH v4] kexec-tools: Perform run-time linking of libxenctrl.so

or Xen, thus these versions are expected to "fail" in a Xen environment. On the flip side, since a non-Xen environment does not need libxenctrl.so, all six scenarios are expected to "pass" in a non-Xen environment. The results match these expectations! And, of course, import

Re: [Xen-devel] [PATCH v3] kexec-tools: Perform run-time linking of libxenctrl.so

Responses are inlined below. Eric On 01/16/2018 03:39 PM, Daniel Kiper wrote: On Fri, Jan 12, 2018 at 03:21:13PM -0600, Eric DeVolder wrote: When kexec is utilized in a Xen environment, it has an explicit run-time dependency on libxenctrl.so. This dependency occurs during the configure stage

Re: [Xen-devel] [PATCH v2] kexec-tools: Perform run-time linking of libxenctrl.so

Daniel, Thanks for the feedback, see responses inline below. I've posted v3 of the patch. Eric On 12/18/2017 07:43 AM, Daniel Kiper wrote: On Thu, Dec 14, 2017 at 04:48:01PM -0600, Eric DeVolder wrote: When kexec is utilized in a Xen environment, it has an explicit run-time dependen

[Xen-devel] [PATCH v3] kexec-tools: Perform run-time linking of libxenctrl.so

or Xen, thus these versions are expected to "fail" in a Xen environment. On the flip side, since a non-Xen environment does not need libxenctrl.so, all six scenarios are expected to "pass" in a non-Xen environment. The results match these expectations! And, of course, import

[Xen-devel] [PATCH v2] kexec-tools: Perform run-time linking of libxenctrl.so

x0038d680) /lib64/ld-linux-x86-64.so.2 (0x562dc0c14000) # build/sbin/kexec -v kexec-tools 2.0.16 Currently this feature is enabled with the following: ./configure --with-xen-dl --with-xen=no This is a bit clunky. I welcome feedback such as better names and/or usage of --with,